Inadequate access control in C21 Live Encoder and Live Mosaic

Vulnerability

Inadequate access control in the C21 Live Encoder and Live Mosaic product, version 5.3, allows a remote attacker to access the application as an administrator user through the application endpoint, due to lack of proper credential management [1]. The affected versions are C21 Live Encoder and Live Mosaic 5.3.

Exploitation

An attacker with network access to the application endpoint can exploit this vulnerability without any authentication. No special privileges or user interaction are required. By directly accessing the endpoint, the attacker gains administrator-level access [1].

Impact

Successful exploitation grants the attacker full administrative privileges, leading to complete compromise of confidentiality, integrity, and availability of the affected system. The CVSS v3.1 base score is 9.8, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [1].

Mitigation

The vulnerabilities have been resolved by the Cires21 team in the latest software version of the affected products, which was released in the last week of November 2023 [1]. Users should update to the latest version to mitigate this vulnerability. No workarounds are provided in the advisory.